Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clear XStream default whitelist #477

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Merge branch 'master' of https://github.com/pippo-java/pippo into fix…
…_454_2
  • Loading branch information
rygel committed Nov 1, 2018
commit a2338893f47ccfbf754786ba92f5dbdf07673940
Original file line number Diff line number Diff line change
@@ -15,7 +15,7 @@
*/
package ro.pippo.xstream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import org.kohsuke.MetaInfServices;
import ro.pippo.core.Application;
import ro.pippo.core.ContentTypeEngine;
@@ -45,13 +45,14 @@ public String getContentType() {

private XStream xstream() {
XStream xstream = new XStream();

// allow annotations on models for maximum flexibility
xstream.autodetectAnnotations(true);

// prevent xstream from creating complex XML graphs
xstream.setMode(XStream.NO_REFERENCES);

// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
Copy link
Member

@decebals decebals Nov 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, in the end this is the single modification.


//setup security
xstream.allowTypes((String[]) WhitelistObjectInputStream.getWhitelistedClassNames().toArray());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why these cast (see diff).

xstream.allowTypesByRegExp((Pattern[]) WhitelistObjectInputStream.getWhitelistedRegExp().toArray());
@@ -63,7 +64,6 @@ public String toString(Object object) {
return xstream().toXML(object);
}

@SuppressWarnings("unchecked")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this annotation I retrieve a warning. The annotation was added by me in the previous commit.

@Override
public <T> T fromString(String content, Class<T> classOfT) {
return (T) xstream().fromXML(content);
Original file line number Diff line number Diff line change
@@ -22,8 +22,8 @@
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
@@ -33,8 +33,8 @@
*/
public class WhitelistObjectInputStream extends ObjectInputStream {

private static List<String> whiteClassNames;
private static List<Pattern> whiteRegExp;
private static Set<String> whiteClassNames;
private static Set<Pattern> whiteRegEx;

static {
loadWhitelist(WhitelistObjectInputStream.class.getResourceAsStream(PippoConstants.LOCATION_OF_PIPPO_WHITELIST_SERIALIZATION));
@@ -46,7 +46,7 @@ public WhitelistObjectInputStream(InputStream in) throws IOException {

protected Class<?> resolveClass(ObjectStreamClass descriptor) throws ClassNotFoundException, IOException {
String className = descriptor.getName();
if ((!isWhiteListed(className)) && (!isWhiteListedRegex(className))) {
if (!isWhiteClass(className)) {
throw new InvalidClassException("Unauthorized deserialization attempt", className);
}

@@ -71,33 +71,23 @@ private boolean isWhiteClass(String className) {
return false;
}

private boolean isWhiteListedRegex(String className) {
for (Pattern pattern : whiteRegExp) {
if (pattern.matcher(className).matches()) {
return true;
}
}

return false;
}

/**
* Load the whitelist from an {@link InputStream}.
* The content of the {@code InputStream} is in format:
* {@code
* # Java
* java.util.ArrayList
* java.util.HashMap
* A regular expression whitelisting the whole java.lang package and its sub-packages.
* /java.lang.* /
* # A regular expression whitelisting the whole "java.lang" package and its sub-packages
* >java.lang.*
*
* # Pippo
* ro.pippo.session.DefaultSessionData
* ro.pippo.core.Flash
* }
*
* A line that starts with {@code #} is a comment and will be ignored.
* A line that starts and ends with {@code /} is interpreted as a regular expression.
* A line that starts with {@code >} is interpreted as a regular expression.
*/
private static void loadWhitelist(InputStream input) {
String content;
@@ -116,8 +106,6 @@ private static void loadWhitelist(InputStream input) {
if (line.startsWith("#")) {
// it's a comment; ignore line
continue;
} else if (line.startsWith("/") && (line.endsWith("/"))) {
addWhiteRegExp(Pattern.compile(line.substring(1, line.length() - 2)));
}

if (line.startsWith(">")) {
@@ -134,24 +122,26 @@ private static void addWhiteClassName(String className) {
whiteClassNames.add(className);
}

private static void addWhiteRegExp(Pattern pattern) {
whiteRegExp.add(pattern);
private static void addWhiteRegEx(String regex) {
whiteRegEx.add(Pattern.compile(regex));
}

/**
* Returns the whitelisted class names.
* @return the whitelisted class names.
* Returns the white class names.
*
* @return the white class names.
*/
public static List<String> getWhitelistedClassNames() {
return whiteClassNames;
public static String[] getWhiteClassNames() {
return whiteClassNames.toArray(new String[0]);
}

/**
* Returns the whitelisted regular expressions.
* @return the whitelisted regular expressions.
* Returns the white regular expressions.
*
* @return the white regular expressions.
*/
public static List<Pattern> getWhitelistedRegExp() {
return whiteRegExp;
public static Pattern[] getWhiteRegEx() {
return whiteRegEx.toArray(new Pattern[0]);
}

}
You are viewing a condensed version of this merge commit. You can view the full changes here.